Method and apparatus for accelerating sssd service to remove deleted ldap user information
By installing a monitoring module on the LDAP client, user operations on the LDAP server can be monitored in real time, which solves the problem of LDAP user information not being updated in a timely manner in the SSSSD service, ensuring system security and response speed.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- SHANGHAI XIAOYUN INFORMATION TECH CO LTD
- Filing Date
- 2026-04-17
- Publication Date
- 2026-06-19
AI Technical Summary
Under the enumeration caching mechanism, the SSSD service may still recognize a user even after the LDAP server deletes the user, leading to security risks. Furthermore, frequent cache updates may cause slow login responses and unusable offline states.
By installing a monitoring module on the LDAP client, user account operations on the LDAP server are monitored in real time, including deletion, modification, or addition of user accounts. Update requests are then sent to the SSSSD service to update the user information list in the enumeration cache.
It enables the LDAP client to instantly clean up deleted user information, avoids security risks, ensures system response speed and normal use in offline states, and reduces the frequency of cache updates.
Smart Images

Figure CN122241720A_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of computers, and in particular to a method and apparatus for accelerating the removal of deleted LDAP user information by the SSSD service. Background Technology
[0002] LDAP stands for Lightweight Directory Access Protocol. In the computer field, it is often used to implement user services. Specifically, it enables centralized user management; for example, accounts registered on an LDAP server can be authenticated and logged in from other hosts using LDAP clients. Currently, the most common LDAP client on Linux operating systems is the system service SSSSD. Figure 1 As shown, once the Sssd service on a Linux host is configured with the correct LDAP server address and other information, the username, user ID, group ID, and other information configured on the LDAP server can be queried through the command line, and this information can be used for login authentication.
[0003] To improve response speed, provide offline access to LDAP user information, and avoid potential system stability issues caused by frequently fetching the complete user information list from the LDAP server, the mainstream usage of SSSSD is to configure enumeration caching. This means that SSSSD caches the LDAP server's user information list locally and updates it periodically in chunks. The default configurable cache refresh interval for SSSSD is 5400 seconds.
[0004] Under the enumeration caching mechanism, after the LDAP server deletes a user, the client (SSSD) will still consider the user to exist for a considerable period of time, allowing the user to still log in on the LDAP client host, posing a security risk. Figure 2 As shown, even after the server has deleted user usr1, the client will still consider the user to exist for a certain period of time. Only after the client refreshes its cache will the user information be deleted from the client. Although the cache refresh interval can be adjusted to a smaller value to increase the frequency of cache refresh, frequent cache updates may cause problems such as slow login response and inability to use the service offline. Summary of the Invention
[0005] The purpose of this invention is to provide a method and device for accelerating the removal of deleted LDAP user information by the Sssd service.
[0006] To address the above problems, this invention provides a method for accelerating the removal of deleted LDAP user information by the SSSD service, comprising: An LDAP client with the Sssd service installed communicates with the default LDAP server to retrieve the user information list configured on the LDAP server. The Sssd service uses an enumeration cache to store the user information list retrieved from the LDAP server. The monitoring module, which monitors the operations of the LDAP server through the LDAP client, monitors the deletion of user accounts. When the monitoring module receives a user account deletion operation from the LDAP server, it sends an update request to the SSSSD service for the user information list stored in the enumeration cache. The Sssd service responds to the update request by discarding the deleted user information in the enumeration cache, thereby updating the list of user information stored in the enumeration cache.
[0007] Furthermore, in the above method, the monitoring module of the LDAP client, which monitors the operations of the LDAP server, monitors the user account deletion operation, including: Install a monitoring module on each LDAP client to monitor the operations of the LDAP server, register the monitoring module with the LDAP server, and monitor user account deletion operations.
[0008] Furthermore, in the above method, after the Sssd service responds to the update request and discards the deleted user information in the enumeration cache to update the list of user information stored in the enumeration cache, it also includes: The LDAP client obtains a user request to query a user account in the user information list or to attempt to log in with a user account. SSSD queries the saved user information list based on the user request. If the user account is not found, it returns information to the LDAP client that the user account cannot be found, or directly rejects the login request of the user account.
[0009] Furthermore, in the above method, after monitoring the user account deletion operation through the monitoring module of the LDAP client monitoring the operations of the LDAP server, the method further includes: The monitoring module, which monitors the operations of the LDAP server through the LDAP client, monitors user account modification or addition operations; When the monitoring module receives a user modification or addition operation from the LDAP server, it sends an update request to the SSSSD service for the corresponding user information list stored in the enumeration cache. The Sssd service responds to the update request by modifying or adding user information in the enumeration cache, thereby updating the list of user information stored in the enumeration cache.
[0010] Furthermore, in the above method, the monitoring module of the LDAP client monitors the operations of the LDAP server, including monitoring user account modification or addition operations, such as: If the monitoring module is online, user account modification or addition operations can be directly obtained through the monitoring module; If the monitoring module is offline, restarting the monitoring module will automatically retrieve change logs from the LDAP server, and retrieve user account modification or addition operations from the change logs.
[0011] Furthermore, in the above method, the monitoring module of the LDAP client that monitors the operations of the LDAP server monitors the user account deletion operation, including: If the monitoring module is online, the user account deletion operation can be directly obtained through the monitoring module; If the monitoring module is offline, restarting the monitoring module will automatically retrieve change logs from the LDAP server and retrieve the user account deletion operation based on the change logs.
[0012] According to another aspect of the present invention, a device for accelerating the removal of deleted LDAP user information by an SSSSD service is also provided, comprising: An LDAP client with the Sssd service installed communicates with the default LDAP server to retrieve the user information list configured on the LDAP server. The Sssd service uses an enumeration cache to store the user information list retrieved from the LDAP server. The monitoring module of the LDAP client monitors the operations of the LDAP server, and is used to monitor the deletion of user accounts; when the monitoring module receives the deletion of user accounts from the LDAP server, it sends an update request to the SSSD service for the corresponding list of user information stored in the enumeration cache. The Sssd service is used to respond to the update request by discarding the deleted user information in the enumeration cache, so as to update the list of user information stored in the enumeration cache.
[0013] Furthermore, in the aforementioned device, the monitoring module is installed on each LDAP client. The monitoring module is used to register with the LDAP server and monitor user account deletion operations.
[0014] According to another aspect of the present invention, a computer-readable storage medium is also provided, having stored thereon computer-executable instructions, wherein when executed by a processor, the computer-executable instructions cause the processor to perform the method described in any of the preceding claims.
[0015] According to another aspect of the present invention, a calculator device is also provided, comprising: Processor; and A memory configured to store computer-executable instructions, which, when executed, cause the processor to perform the method described in any of the preceding descriptions.
[0016] Compared to existing technologies, this invention relates to the process of managing user information in an LDAP domain using the SSSD system service on the client side of the LDAP protocol, and provides a method to help the SSSD system service on the Linux operating system accelerate the discarding of deleted LDAP user information. To address the security vulnerabilities caused by the enumeration cache design of SSSD, this invention adopts the RFC 4533 standard supported by mainstream LDAP server implementations, enabling the immediate clearing of related entries for the user information stored in the SSSD enumeration cache after the LDAP server deletes a user. By introducing a listening module that registers with the LDAP server to monitor user account changes, and proactively triggering the SSSD to update cache entries upon receiving real-time account change information, the invention ensures that the LDAP server's user deletion operation is detected in real-time by the listening module, immediately notifying the SSSD to update cache entries without waiting for the next complete cache update cycle. Attached Figure Description
[0017] Figure 1 This is a diagram illustrating the existing connection relationships between LDAP servers and clients, where each server can connect to multiple clients. Figure 2 The existing mechanism is that even after user usr1 has been deleted on the server, the client will still consider the user to exist for a certain period of time. Figure 3 This is a flowchart of a method for accelerating the removal of deleted LDAP user information by the Sssd service according to an embodiment of the present invention; Figure 4 This is a schematic diagram illustrating how the server's user deletion operation is acquired in real time by the listening module after the introduction of a listening module in an embodiment of the present invention. Detailed Implementation
[0018] To make the above-mentioned objects, features and advantages of the present invention more apparent and understandable, the present invention will be further described in detail below with reference to the accompanying drawings and specific embodiments.
[0019] like Figure 1 As shown, the present invention provides a method and apparatus for accelerating the removal of deleted LDAP user information by the SSSD service, comprising: Step S1: The LDAP client of the Sssd service is installed and communicates with the preset LDAP server to pull the user information list configured on the LDAP server. The Sssd service uses an enumeration cache to store the user information list pulled from the LDAP server. Here, one or more of the user's hosts have the Sssd service installed as an LDAP client to communicate with the preset LDAP server and obtain the user information list configured on the LDAP server. Step S2: Monitor the user account deletion operation through the monitoring module of the LDAP client that monitors the operation of the LDAP server; Preferably, a monitoring module for monitoring the operations of the LDAP server can be installed on each LDAP client, and the monitoring module can be registered with the LDAP server to monitor user account deletion operations.
[0020] Step S3: When the monitoring module receives the user account deletion operation from the LDAP server, it sends an update request to the SSSSD service for the user information list stored in the enumeration cache. In step S4, the Sssd service responds to the update request by discarding the deleted user information in the enumeration cache, thereby updating the list of user information stored in the enumeration cache.
[0021] Specifically, when the Sssd service receives a cache update request from the monitoring module, it specifies the user to be deleted, such as usr1. The Sssd service then traverses the local enumeration cache, finds all entries corresponding to usr1 (username, UID, GID, group relationship, etc.), deletes them, and then the information for usr1 no longer exists in the local cache.
[0022] This invention relates to the process of managing user information in an LDAP domain using the SSSD system service on the client side of the LDAP protocol, and provides a method to help the SSSD system service on the Linux operating system accelerate the discarding of deleted LDAP user information. To address the security vulnerabilities caused by the enumeration cache design of SSSD, this invention adopts the RFC 4533 standard supported by mainstream LDAP server implementations, enabling the immediate clearing of related entries for the user information stored in the SSSD enumeration cache after the LDAP server deletes a user. By introducing a listening module that registers with the LDAP server to monitor user account changes, and proactively triggering the SSSD to update cache entries upon receiving real-time account change information, the invention ensures that the LDAP server's user deletion operation is detected in real-time by the listening module, immediately notifying the SSSD to update cache entries without waiting for the next complete cache update cycle.
[0023] Preferably, after step S4, the method further includes: In step S5, the LDAP client obtains a user request to query a user account in the user information list or to attempt to log in with a user account. SSSD queries the saved user information list based on the user request. If the user account is not found, it returns information to the LDAP client that the user account cannot be found, or directly rejects the login request of the user account.
[0024] Here, the client user can perform the following actions: on the host, execute a query to retrieve the user list (e.g., getent passwd) or attempt to log in to usr1; The SSSSD service receives user requests: When the SSSSD service receives a local user query or authentication request, it first checks the local enumeration cache. Since usr1 has been cleared, there is no matching entry in the cache. The SSSSD service returns a list of user information that does not contain usr1 to the LDAP client, or directly rejects the login request for usr1. From the LDAP client's perspective, usr1 has completely disappeared and cannot log in or be found.
[0025] Specifically, the working process of the monitoring module is as follows: 1) When the host running the LDAP client (Sssd) starts up, the LDAP client and the listening module are automatically loaded and run; 2) The listening module registers with the LDAP server to listen for user account deletion events; 3. Each time a user account deletion operation is completed on the LDAP server, the listening module will receive information about the deleted user account; 4) The listening module sends a cache entry update request to the SSSSD service of the LDAP client, requesting that the corresponding user account be discarded; 5) When the LDAP client's SSSSD service receives an update request, it discards the user account information; 6) When listing user account information on the LDAP client host at this time, user accounts that have been deleted from the server will no longer appear, and these user accounts cannot be used for login, thus ensuring system security.
[0026] like Figure 3 As shown, this embodiment of the invention introduces a new listening module, which registers with the LDAP server to listen for changes in user accounts. After obtaining the account change information in real time, it actively triggers the SSSSD to update the cache entries.
[0027] like Figure 4 As shown, after introducing the listening module, the LDAP server's operation of deleting a user will be obtained by the listening module in real time, and the SSSSD will be notified immediately to update the cache entry without waiting for the next complete cache update cycle.
[0028] Preferably, in step S2, after monitoring the user account deletion operation through the monitoring module of the LDAP client that monitors the operations of the LDAP server, the method further includes: Step S6: Monitor user account modification or addition operations through the monitoring module of the LDAP client that monitors the operations of the LDAP server; Preferably, step S6 includes: if the monitoring module is online, the user account modification or addition operation is directly obtained through the monitoring module; if the monitoring module is offline, after restarting the monitoring module, the change log is automatically obtained from the LDAP server, and the user account modification or addition operation is obtained from the change log to complete the user account deletion operation missed by the monitoring and ensure eventual consistency of the cache.
[0029] Step S7: When the monitoring module receives a user modification or addition operation from the LDAP server, it sends an update request to the SSSSD service for the corresponding user information list stored in the enumeration cache. In step S8, the Sssd service responds to the update request by modifying or adding user information in the enumeration cache, thereby updating the list of user information stored in the enumeration cache.
[0030] Here, the monitoring module can not only listen for deletions, but also subscribe to entryUUID change events on the LDAP server to accurately detect user attribute modifications, group relationship changes, etc. The change events listened to by the monitoring module carry the change type (add / modify / delete) and the changed fields, avoiding a full cache refresh.
[0031] Preferably, in step S2, the user account deletion operation is monitored through the monitoring module of the LDAP client that monitors the operations of the LDAP server, including: If the monitoring module is online, the user account deletion operation can be directly obtained through the monitoring module; If the monitoring module goes offline, restarting the monitoring module will automatically retrieve the change log from the LDAP server. Based on the change log, the user account deletion operation will be retrieved to complete the monitoring of any missing user account deletion operations and ensure eventual consistency of the cache.
[0032] According to another aspect of the present invention, a device for accelerating the removal of deleted LDAP user information by an SSSSD service is also provided, comprising: An LDAP client with the Sssd service installed communicates with the default LDAP server to retrieve the user information list configured on the LDAP server. The Sssd service uses an enumeration cache to store the user information list retrieved from the LDAP server. The monitoring module of the LDAP client monitors the operations of the LDAP server, and is used to monitor the deletion of user accounts; when the monitoring module receives the deletion of user accounts from the LDAP server, it sends an update request to the SSSD service for the corresponding list of user information stored in the enumeration cache. The Sssd service is used to respond to the update request by discarding the deleted user information in the enumeration cache, thereby updating the list of user information stored in the enumeration cache. Furthermore, in the aforementioned device, the monitoring module is installed on each LDAP client. The monitoring module is used to register with the LDAP server and monitor user account deletion operations.
[0033] According to another aspect of the present invention, a computer-readable storage medium is also provided, having stored thereon computer-executable instructions, wherein when executed by a processor, the computer-executable instructions cause the processor to perform the method described in any of the preceding claims.
[0034] According to another aspect of the present invention, a calculator device is also provided, comprising: Processor; and A memory configured to store computer-executable instructions, which, when executed, cause the processor to perform the method described in any of the preceding descriptions.
[0035] The various embodiments in this specification are described in a progressive manner, with each embodiment focusing on the differences from other embodiments. The same or similar parts between the various embodiments can be referred to each other.
[0036] Those skilled in the art will further recognize that the units and algorithm steps of the various examples described in conjunction with the embodiments disclosed herein can be implemented in electronic hardware, computer software, or a combination of both. To clearly illustrate the interchangeability of hardware and software, the components and steps of the various examples have been generally described in terms of functionality in the foregoing description. Whether these functions are implemented in hardware or software depends on the specific application and design constraints of the technical solution. Those skilled in the art can use different methods to implement the described functions for each specific application, but such implementations should not be considered beyond the scope of this invention.
[0037] Obviously, those skilled in the art can make various modifications and variations to the invention without departing from the spirit and scope of the invention. Therefore, if these modifications and variations fall within the scope of the claims of the invention and their equivalents, the invention is also intended to include these modifications and variations.
Claims
1. A method for accelerating the removal of deleted LDAP user information by an SSSSD service, characterized in that, include: An LDAP client with the Sssd service installed communicates with the default LDAP server to retrieve the user information list configured on the LDAP server. The Sssd service uses an enumeration cache to store the user information list retrieved from the LDAP server. The monitoring module, which monitors the operations of the LDAP server through the LDAP client, monitors the deletion of user accounts. When the monitoring module receives a user account deletion operation from the LDAP server, it sends an update request to the SSSSD service for the user information list stored in the enumeration cache. The Sssd service responds to the update request by discarding the deleted user information in the enumeration cache, thereby updating the list of user information stored in the enumeration cache.
2. The method for accelerating the removal of deleted LDAP user information by the SSSSD service as described in claim 1, characterized in that, The monitoring module, which monitors the operations of the LDAP server through the LDAP client, monitors the user account deletion operation, including: Install a monitoring module on each LDAP client to monitor the operations of the LDAP server, register the monitoring module with the LDAP server, and monitor user account deletion operations.
3. The method for accelerating the removal of deleted LDAP user information by the SSSSD service as described in claim 1, characterized in that, In response to the update request, the Sssd service discards the deleted user information in the enumeration cache. After updating the list of user information stored in the enumeration cache, the service further includes: The LDAP client obtains a user request to query a user account in the user information list or to attempt to log in with a user account. SSSD queries the saved user information list based on the user request. If the user account is not found, it returns information to the LDAP client that the user account cannot be found, or directly rejects the login request of the user account.
4. The method for accelerating the removal of deleted LDAP user information by the SSSSD service as described in claim 1, characterized in that, The monitoring module, which monitors the operations of the LDAP server through the LDAP client, after monitoring the user account deletion operation, also includes: The monitoring module, which monitors the operations of the LDAP server through the LDAP client, monitors user account modification or addition operations; When the monitoring module receives a user modification or addition operation from the LDAP server, it sends an update request to the SSSSD service for the corresponding user information list stored in the enumeration cache. The Sssd service responds to the update request by modifying or adding user information in the enumeration cache, thereby updating the list of user information stored in the enumeration cache.
5. The method for accelerating the removal of deleted LDAP user information by the SSSSD service as described in claim 4, characterized in that, The monitoring module, which monitors the operations of the LDAP server through the LDAP client, monitors user account modification or addition operations, including: If the monitoring module is online, user account modification or addition operations can be directly obtained through the monitoring module; If the monitoring module is offline, restarting the monitoring module will automatically retrieve change logs from the LDAP server, and retrieve user account modification or addition operations from the change logs.
6. The method for accelerating the removal of deleted LDAP user information by the SSSSD service as described in claim 1, characterized in that, The monitoring module, which monitors the operations of the LDAP server through the LDAP client, monitors the user account deletion operation, including: If the monitoring module is online, the user account deletion operation can be directly obtained through the monitoring module; If the monitoring module is offline, restarting the monitoring module will automatically retrieve change logs from the LDAP server and retrieve the user account deletion operation based on the change logs.
7. A device for accelerating the removal of deleted LDAP user information by SSSSD service, characterized in that, include: An LDAP client with the Sssd service installed communicates with the default LDAP server to retrieve the user information list configured on the LDAP server. The Sssd service uses an enumeration cache to store the user information list retrieved from the LDAP server. The monitoring module of the LDAP client monitors the operations of the LDAP server, and is used to monitor the deletion of user accounts; when the monitoring module receives the deletion of user accounts from the LDAP server, it sends an update request to the SSSD service for the corresponding list of user information stored in the enumeration cache. The Sssd service is used to respond to the update request by discarding the deleted user information in the enumeration cache, so as to update the list of user information stored in the enumeration cache.
8. The device for accelerating the removal of deleted LDAP user information by SSSSD service as described in claim 7, characterized in that, The monitoring module is installed on each LDAP client. The monitoring module is used to register with the LDAP server and monitor user account deletion operations.
9. A computer-readable storage medium having stored thereon computer-executable instructions, wherein, When the computer-executable instructions are executed by the processor, the processor causes the processor to perform the method as described in any one of claims 1 to 6.
10. A calculator device, wherein, include: processor; as well as A memory configured to store computer-executable instructions, which, when executed, cause the processor to perform the method as described in any one of claims 1 to 6.